The CIRT plan helps an organization prepare for incidents. When the organization is prepared, it responds to incidents much quicker and with focused action. One of the primary benefits of the CIRT plan is the identification of CIRT members so that the organization knows who they are and the individuals on the team know their roles and responsibilities. Once the plan and the members have been identified, the organization has a better understanding of the skills needed to support the requirements, and the members can be trained to ensure that they do.

Without the plan, IT and security professionals don’t have the benefit of time to analyze their response. They may pull the NIC cable to stop a DoS attack on a server, and, although doing this will stop the attack, it will also prevent the server from performing the expected service. Uninformed administrators may leave an infected system on the network, which would allow it to infect other systems, or a well-meaning administrator may launch an attack back on an attacker, which may be detected and result in the attacker launching a series of stronger attacks.